Security Audits: How Too Many are Dangerous

Depending on a company’s size, the phrase “security audit” may be heard every week or sound like a foreign language. Most companies fall somewhere in between, and understanding the dangers at both extremes, auditing too little and auditing too often, is crucial to the overall security of the system.

Either extreme carries risk, so the key is to understand what a security audit consists of and then plan the method of auditing that is most efficient for your own organization.

Security audits can be outsourced or done internally, using manual or systematic techniques; the difference between the two is personal interaction versus direct examination of the systems themselves, said Ross Wescott, IT auditor at Portland General Electric Co.

“The difference is a manual audit would be doing interviews, perhaps review documents that they may have — certainly looking at the policies of the area — and then making assessments at that level without any substantive testing,” Wescott said. “In a systematic approach, you would do some interviews, but then you would use programs and data-mining tools to go into the system and test.

“That’s where a penetration test is part of a systematic test of the system. Of course, you can sit back and talk to people too, but it’s not quite as in-depth, and if they were trying to hide something, they could lie to you too.”

Auditors such as Wescott use a mix of manual and systematic techniques in the course of their security audits, which adds an improvisational aspect to the job.

As with anything else, however, standards have developed. ISACA grants the Certified Information Systems Auditor (CISA) certification so that experienced auditors can distinguish themselves. Candidates for CISA certification must pass a written exam, agree to follow ISACA’s code of professional ethics and present evidence of at least five years of professional auditing or security work.

“A CISA will bring a level of credibility to the audit,” Wescott said. “Is it required? No — it’s not like a CPA that’s licensed. There are knowledgeable individuals who are not certified who could do things well, like security audits, inside of a company, but a CISA definitely could be able to do that.”

Even with a CISA certification, Wescott said, productivity problems can arise when certain, more invasive tools are used, especially by large outsourced security auditors, and if such audits are frequent the effect can be very detrimental.

Wescott said he thinks that no matter how qualified or experienced auditors are, someone should always be aware of their activities.

“That needs to be carefully monitored, and that’s why you just don’t give the auditor carte blanche to come in and start running tools and tests,” Wescott said. “Somebody ought to be assigned directly to the auditor to make sure that the company’s best interests are kept in the forefront, independent of testing.”

Another important element for companies running a security audit is time. Most would say they want the most thorough audit in the least amount of time, but no such formula exists. Wescott emphasized that running a security audit can mean something simple or a daunting undertaking, depending on the size and needs of the company.

“If you’re just running a few pieces of software, scanning your network to find out what’s working and not working on your machine, it could just take a day, and then you write up the report and go away,” Wescott said. “If you’re doing a comprehensive security audit, then it depends on how big the company is. A comprehensive security audit where you’re doing interviews, software testing and running tools — that could take up to two months.”
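The one-day scan Wescott describes, “scanning your network to find out what’s working and not working,” is in its simplest form a TCP connect sweep: try each port, record which ones accept a connection, and grab whatever banner the service volunteers so the report can name it. The script below is an added example, not code from the article or from Wescott; it uses only the Python standard library and, so that it runs offline, starts its own throwaway listener on 127.0.0.1 as a stand-in for a real host. The banner string and the port choices are constructed for the demonstration. Note the distinction a practitioner cares about: a refused connection means the port is closed, while a timeout usually means a firewall is dropping packets (reported here as “filtered”), which is a different finding.

```python
import socket
import threading
from contextlib import closing


def start_local_service(banner=b"SSH-2.0-demo_service\r\n"):
    """Start a throwaway TCP listener on 127.0.0.1 (stand-in for a real host).

    Returns (server_socket, port). The banner is constructed for this example;
    real services send their own (SSH, SMTP and FTP greet on connect).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # server socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port():
    """Find a port that is definitely not listening: bind, read it back, close."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect probe of one port. Returns (state, banner) where state is
    'open', 'closed' (connection refused) or 'filtered' (no answer in time)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except (socket.timeout, OSError):
            return "filtered", b""
        try:
            banner = s.recv(128)        # many services speak first; take what they offer
        except (socket.timeout, OSError):
            banner = b""
        return "open", banner


def scan(host, ports, timeout=0.5):
    """Probe every port in `ports`; returns {port: (state, banner)}."""
    return {p: probe(host, p, timeout) for p in ports}


def open_ports(results):
    """Sorted list of ports reported open, the core of the 'what's working' report."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


if __name__ == "__main__":
    srv, live = start_local_service()
    dead = reserve_closed_port()
    results = scan("127.0.0.1", [live, dead])
    for port, (state, banner) in sorted(results.items()):
        print(f"127.0.0.1:{port:<5} {state:<8} {banner.strip().decode(errors='replace')}")
    srv.close()
```

Against a real network the port list would be the full 1–65535 range or a curated service list, and the scan should run only from a host and at a time the audit sponsor has approved, which is exactly the “somebody assigned to the auditor” oversight Wescott calls for; a connect sweep is noisy and can trip intrusion detection or, on fragile embedded devices, cause the outages he warns about.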

Most of the viruses and security breaches that occur within a company a